How To Install FreeRADIUS On Ubuntu Server

Don’t let Wi-Fi be the weakest link in security. Securing user credentials via Wi-Fi shouldn’t be taken lightly. In my Wi-Fi lab I use FreeRADIUS for authenticating Wi-Fi users with 802.1X.

FreeRADIUS is an open source RADIUS server used by many organizations. It performs AAA (authentication, authorization and accounting) functions, supports many authentication protocols, and is widely popular because it is modular and scalable.

In 802.1X, and in my lab, FreeRADIUS will play the role of the authentication server. FreeRADIUS can be the proxy to another authentication server such as Active Directory.

Without going into too much detail, 802.1X has three components:

Supplicant (mobile device)

Authenticator (AP)

Authentication Server (FreeRADIUS)

The supplicant requests to join an SSID; the authenticator asks the mobile device for an identity and forwards that identity to the authentication server, which replies with an accept or a reject.

This guide will get you up and running quickly with FreeRADIUS on Ubuntu server using EAP-TTLS.

My FreeRADIUS deployment was done on Ubuntu 16.04.1 LTS which I have running as a VM on my Intel NUC.

1. Install FreeRADIUS

Installing FreeRADIUS is the easiest part of this guide. It can be done with apt-get. Installing FreeRADIUS will also install dependencies and additional packages required for operation.

4. Review the Configuration Files

In radiusd.conf, increase the default max_requests value of 1024 if you’re planning on having more than 4 clients authenticating at a time.

# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024

Here is where we tell FreeRADIUS to look for authorized clients (authenticators).

Configuration file for your clients (access points or controllers)

# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE clients.conf

Further down in radiusd.conf is the include for eap.conf, the file where the EAP methods are defined.

EAP configuration file to define EAP methods used:

# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE eap.conf

5. Add Clients

The word “clients” can be deceiving but in FreeRADIUS terms this means the authenticators such as the APs or WLAN controllers. We want to verify that only authorized authenticators are used on our network. The authenticators and the authentication server will use shared secrets to verify each other.

Open the clients.conf file to add your authenticator(s).

If your APs or controllers are on a specific network, you can define the whole network with one secret, or you can specify a secret for each individual client.
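Here is an added example (mine, not from the original post) of what those two kinds of clients.conf entries look like, with the shared secret generated from /dev/urandom instead of typed by hand. The names lab_ap01 and lab_aps and the 192.0.2.0/24 range are placeholders (192.0.2.0/24 is a documentation range); substitute your own authenticators.

```shell
#!/bin/sh
# Added example, not code from the original post: generate a shared secret and
# render clients.conf entries for one authenticator or a whole network of them.
# lab_ap01, lab_aps and 192.0.2.0/24 are placeholders, not values from the post.
# Output goes to stdout; append it to clients.conf yourself.

# Random alphanumeric secret. Many APs and controllers cap the secret length,
# so 24 characters is the default here; pass a length to override.
gen_secret() {  # [length]
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
}

# One authenticator: the block name is a label, ipaddr is the NAS address.
render_host_client() {  # shortname ipaddr secret
    printf 'client %s {\n\tipaddr = %s\n\tsecret = %s\n\tshortname = %s\n}\n' "$1" "$2" "$3" "$1"
}

# A whole network: the block name is the CIDR range, so any NAS inside it may
# use this one secret (FreeRADIUS picks the most specific matching client).
render_net_client() {  # cidr shortname secret
    printf 'client %s {\n\tsecret = %s\n\tshortname = %s\n}\n' "$1" "$3" "$2"
}

# Demo with constructed values; each secret also has to be entered on the
# matching AP or controller.
render_host_client lab_ap01 192.0.2.10 "$(gen_secret)"
render_net_client 192.0.2.0/24 lab_aps "$(gen_secret 32)"
```

Run it and paste the output into clients.conf, then configure the same secret on the AP or controller. One secret for a whole network is convenient in a lab, but a secret per authenticator limits what an attacker gains from compromising a single device.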

6. Define EAP Methods

Now the fun part is choosing which EAP methods you want to use. I won’t do an in-depth EAP tutorial in this post. Just know that in this lab I am using EAP-TTLS because it requires a server-side certificate while client certificates are optional.

By default, FreeRADIUS uses EAP-MD5, which is not very strong.

eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = md5

Comment out the default_eap_type = md5 line and add:

default_eap_type = ttls

FreeRADIUS ships with a default server certificate, which we will use for initial testing.

Comment out the supported EAP types MD5, LEAP and GTC.

Under ttls, change default_eap_type to mschapv2:

ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
default_eap_type = mschapv2
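To double-check the edits in this section, here is an added lint script (mine, not part of the original post or of FreeRADIUS) that reads an eap.conf and reports whether the outer default_eap_type is ttls, the tunneled default is mschapv2, and the md5, leap and gtc blocks are commented out. It assumes the FreeRADIUS 2.x layout that the Ubuntu 16.04 package installs, with the file at /etc/freeradius/eap.conf; the two sample files it writes are constructed for the demo, not copies of the real file.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeRADIUS: lint an
# eap.conf against the three edits this section asks for. Returns 0 when the
# file matches and 1 otherwise. Assumed path: the Ubuntu 16.04 package
# (FreeRADIUS 2.x) keeps the file at /etc/freeradius/eap.conf.

# Flatten eap.conf to one line per item: "path {" for every block opened and
# "path key value" for every uncommented setting, where path is the nesting
# of block names, e.g. "eap/ttls". Anything after # is treated as a comment.
eap_settings() {  # file
    awk '
        function curpath(   i, p) {
            p = ""
            for (i = 1; i <= depth; i++) { if (i > 1) p = p "/"; p = p stack[i] }
            return p
        }
        { sub(/#.*/, "") }
        /^[ \t]*[A-Za-z0-9_-]+[ \t]*[{]/ {
            name = $1; sub(/[{].*/, "", name)
            stack[++depth] = name
            p = curpath(); print p " {"
            next
        }
        /^[ \t]*[}]/ { if (depth > 0) depth--; next }
        /^[ \t]*[A-Za-z0-9_-]+[ \t]*=/ {
            key = $1; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            p = curpath(); print p " " key " " val
        }
    ' "$1"
}

# The three checks from this section of the guide.
check_eap_conf() {  # [file]
    f=${1:-/etc/freeradius/eap.conf}
    items=$(eap_settings "$f")
    rc=0
    outer=$(printf '%s\n' "$items" | awk '$1 == "eap" && $2 == "default_eap_type" { print $3; exit }')
    inner=$(printf '%s\n' "$items" | awk '$1 == "eap/ttls" && $2 == "default_eap_type" { print $3; exit }')
    [ "$outer" = ttls ] || { echo "FAIL: eap default_eap_type = ${outer:-unset} (want ttls)"; rc=1; }
    [ "$inner" = mschapv2 ] || { echo "FAIL: ttls default_eap_type = ${inner:-unset} (want mschapv2)"; rc=1; }
    for weak in md5 leap gtc; do
        if printf '%s\n' "$items" | grep -q "^eap/$weak {"; then
            echo "FAIL: EAP type $weak is still enabled; comment out its block"; rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $f matches the settings in this guide"; fi
    return "$rc"
}

# Constructed samples in the shape of the 2.x eap.conf (not copies of it):
# the stock layout, and the layout after this section's edits.
write_stock_sample() {  # file
    cat >"$1" <<'EOF'
eap {
    default_eap_type = md5
    md5 {
    }
    leap {
    }
    gtc {
        auth = PAP
    }
    tls {
        certdir = ${confdir}/certs
    }
    ttls {
        default_eap_type = md5
    }
    mschapv2 {
    }
}
EOF
}
write_hardened_sample() {  # file
    cat >"$1" <<'EOF'
eap {
    # default_eap_type = md5
    default_eap_type = ttls
    # md5 {
    # }
    # leap {
    # }
    # gtc {
    #     auth = PAP
    # }
    tls {
        certdir = ${confdir}/certs
    }
    ttls {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
EOF
}

# Demo on the constructed samples; point check_eap_conf at your real file.
tmp=$(mktemp)
write_stock_sample "$tmp";    check_eap_conf "$tmp" || true   # three FAIL lines
write_hardened_sample "$tmp"; check_eap_conf "$tmp"           # OK
rm -f "$tmp"
```

Run check_eap_conf /etc/freeradius/eap.conf after editing, and follow it with freeradius -XC, which parses the whole configuration and exits, so a typo shows up before you restart the service.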

7. Add Users

Let’s add the users that will authenticate to this RADIUS server. Edit the users file with this command:

In this scenario, users are defined in a file with clear-text passwords. That is not the smartest thing to do in production; if you do go this route, you must secure this server very well.

8. Test Authentication

Run a quick test to see if FreeRADIUS accepts the newly created username and password. Running this from the server means you have to use the secret configured for localhost, which is defined in the clients.conf file:
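As an added example for steps 7 and 8 (mine, not from the original post), the script below renders a users entry for a constructed account and wraps radtest so the result of the test is reduced to accept, reject or no-reply. It assumes the localhost client still carries the stock secret testing123 from the default clients.conf; pass your own as the third argument if you changed it. The radtest output embedded in the script is a constructed sample in the shape of the 2.x output, used only so the demo runs without a server.

```shell
#!/bin/sh
# Added example, not code from the original post: render a users entry and
# reduce a radtest run to accept / reject / no-reply. The account alice and
# the sample output below are constructed for the demo.

# One entry in the users file: the check item Cleartext-Password on the first
# line, reply items indented on the lines that follow.
render_user() {  # username password
    printf '%s\tCleartext-Password := "%s"\n\tReply-Message = "Welcome, %%{User-Name}"\n' "$1" "$2"
}

# Read radtest output on stdin and print the outcome as one word.
radius_outcome() {
    awk '/Access-Accept/ { r = "accept" }
         /Access-Reject/ { r = "reject" }
         END { print (r == "" ? "no-reply" : r) }'
}

# Run the test against the local server. The localhost client in the stock
# clients.conf uses the secret testing123 (assumed unchanged here); pass a
# third argument if yours differs. radtest sends User-Password, i.e. PAP.
smoke_test() {  # username password [localhost-secret]
    radtest "$1" "$2" 127.0.0.1 0 "${3:-testing123}" 2>&1 | radius_outcome
}

# Constructed samples of radtest output (2.x format) so the demo runs offline.
SAMPLE_ACCEPT='Sending Access-Request of id 23 to 127.0.0.1 port 1812
	User-Name = "alice"
	User-Password = "s3cret"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=23, length=20'
SAMPLE_REJECT='Sending Access-Request of id 24 to 127.0.0.1 port 1812
	User-Name = "alice"
	User-Password = "wrong"
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=24, length=20'

# Demo: the entry to append to the users file, then the parsed sample runs.
render_user alice s3cret
printf '%s\n' "$SAMPLE_ACCEPT" | radius_outcome   # accept
printf '%s\n' "$SAMPLE_REJECT" | radius_outcome   # reject
# With the server running: smoke_test alice s3cret
```

Keep in mind what radtest proves: it sends User-Password to localhost, so it exercises PAP against the users file and the localhost secret, not the EAP-TTLS tunnel. An end-to-end EAP check needs a supplicant, either a real client or eapol_test built from wpa_supplicant. Also note why the clear-text password is in the file at all: MSCHAPv2 inside the tunnel needs the server to hold either the password or its NT hash, so a salted hash will not work, which is exactly why the users file and the server need protecting. Leave the file with the restrictive permissions the package gave it.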

Now you have a FreeRADIUS server ready to authenticate users on your Wi-Fi network. The next step is to configure an access point or controller to point to your RADIUS server. Keep in mind that these authenticators are listed in the clients.conf file with their shared secrets; the same secret must be configured on the AP or controller.